Cloud provider: The best security for your passwords is to never give them to us

Ethan Oberman, CEO of cloud backup and sharing service SpiderOak, has a proposition for enterprises that may be leery about using the cloud because of a perceived lack of security. The best security for cloud storage, he says, is to encrypt the data and not give your service provider the keys to decrypt it.

That's what SpiderOak does: "We can't even look at the data if we wanted to," he says.

Started in 2006 with a focus on consumer-grade data storage, the company had two basic goals: Be a central repository for file sharing and data collection, and focus on privacy and security. "We wanted to dispel the myth that just because it's online doesn't mean it can't be private," he says. SpiderOak brands itself as a "zero-knowledge" cloud storage provider, meaning the company has no knowledge of the data being stored in its cloud. That means if government officials demanded the information, SpiderOak wouldn't be able to supply unencrypted access to it. If hackers were to penetrate SpiderOak's cloud, they wouldn't have access to unencrypted data either.

SpiderOak works through an access client that users install: software that runs on laptops, PCs or a range of mobile devices, including Android and iOS. The client automatically encrypts any data that is stored in the SpiderOak cloud, which is housed in a series of colocation facilities. The data is encrypted using standard AES-256; it is uploaded to the cloud encrypted and is not decrypted until the user requests access to it. Other file backup and synchronization services, such as competitor Dropbox, Oberman says, store data in plain text by default, meaning the company could theoretically have access to that data.

In recent years, Oberman says, SpiderOak has broadened its appeal beyond the consumer market with its SpiderOak Blue product, aimed at enterprises. Today, SpiderOak announced a version of its software that can be installed behind a company's firewall, so that it has no interaction with SpiderOak's public cloud and all of the cloud storage is done locally. This gives users the same access to the automated encryption technology, along with the access clients, but the data is stored on the customer's site, in what SpiderOak calls a private storage cloud. A division of the Department of Defense, he says, has been one of SpiderOak's beta customers on the product, which is generally available today. Pricing for SpiderOak's service starts with up to 2GB for free; 100GB costs $10 per month, and additional 100GB increments cost $100 per year.

The service is competitive with Dropbox, Box, SugarSync and other cloud storage and synchronization services, says security analyst Richard Stiennon of research firm IT-Harvest. But while SpiderOak competitors may use an SSL connection, or even AES-256 encryption, if they are storing the user credentials with the keys to the encryption, then Stiennon says there are vulnerabilities that could be exploited by hackers.

Zero knowledge has some risks too, though, he notes. If SpiderOak guarantees that it is not able to hand over information to authorities, hackers and criminals themselves may look to such solutions as a safe haven. Using a zero-knowledge policy is not a new concept; there are zero-knowledge Web hosting services, proxy servers and encrypted email solutions, such as Hushmail. Stiennon says those have in the past been used by hackers to launch attacks. Still, he says the benefits largely outweigh many of those concerns for enterprises looking for a secure file sharing system.

There are other ways to achieve the same result without using a service such as SpiderOak, Stiennon says. For example, a user could encrypt the files themselves, store the keys on site and then ship the data up into the public cloud. Firms such as Trend Micro can aid in that process, he says, but SpiderOak has automated the encryption process and made access to the files easy with its Web clients.

Network World staff writer Brandon Butler covers cloud computing and social collaboration. He can be reached at BButler@nww.com and found on Twitter at @BButlerNWW.

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.